标签:domain crt 证书 ca OpenSSL private SSL certs key
本文介绍的OpenSSL脚本
- 采用自签名CA,以方便多份证书的签发和使用
- 支持SAN(主体备用名称)
- 包含各种文件格式的导出脚本,并简述文件用法
1. 证书的请求
创建目录接口
mkdir ssl
cd ssl
mkdir certs private csr conf
# intial directory structure
# ssl/
# ├── certs/
# ├── conf/
# │ ├── ca.conf
# │ └── localhost.conf
# ├── csr/
# └── private/
解释扩展名
Notes on file extensions
*.crt - PEM-encded single certificate or multiple certificates
*-cert.crt signed certificate (-----CERTIFICATE-----)
*-chain.crt list of certificates from intermediates to root
*.key - PEM-encoded private key
*-rsa.key PKCS#1 (-----RSA PRIVATE KEY-----)
*.key PKCS#8 (-----PRIVATE KEY-----) or SEC1 (-----EC PRIVATE KEY-----)
*.jks - JKS kind of Java keystore (certificate + private key)
*.jts - JKS-type truststore (certificates)
*-cert.p12 - PKCS12-type keystore (certificate + private key)
*-chain.p12 - PKCS12-type truststore (certificates)
*.pfx - PKCS12-type Microsoft PFX
准备配置文件conf/ca.conf以创建CA
[ req ]
default_bits = 2048
default_keyfile = private/ca-encrypted.key
distinguished_name = subject
req_extensions = req_ext
x509_extensions = v3_ca
# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).
# Its sort of a mashup. For example, RFC 4514 does not provide emailAddress.
[ subject ]
# Country Name (2 letter code)
C=CN
# State or Province Name (full name)
ST=BJ
# Locality Name (eg, city)
L=Beijing
# Organization Name (eg, company)
O=WebDev Org
# Organization Unit (eg, department, sub-company, job-type, regions)
OU=IT Dept
# Common Name (e.g. server FQDN or Authority Name)
CN=WebDev CA
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, cRLSign, digitalSignature, keyCertSign
#subjectAltName = @alt_ica
extendedKeyUsage = clientAuth, serverAuth, codeSigning
创建CA
#
# create CA
#
# 1. generate a rsa key for CA
openssl genrsa -aes256 -out private/ca-rsa.key 2048
# 2. convert private key from PKCS#1 to PKCS#8
openssl pkcs8 -topk8 -inform PEM -in private/ca-rsa.key -outform PEM -out private/ca-encrypted.key
# 3. create ca certificate
openssl req -new -config conf/ca.conf \
-subj "/C=CN/ST=BJ/L=Beijing/O=Web Dev Org/OU=IT Dept/CN=WebDev CA" \
-x509 -sha256 -days 3650 -key private/ca-encrypted.key -out certs/ca.crt
创建证书签名请求
#
# create certificate signing request
#
# the domain name (e.g. example.com)
domain=localhost
# 1. create a server rsa key
openssl genrsa -out private/$domain-rsa.key 2048
# 2. convert rsa key to pkcs8 key (without password protection)
openssl pkcs8 -topk8 -nocrypt -inform PEM -in private/$domain-rsa.key -outform PEM -out private/$domain.key
# 3. create a server certificate request
openssl req -new -sha256 \
-subj "/C=CN/ST=BJ/L=Beijing/O=Web Dev Org/OU=IT Dept/CN=localhost" \
-key private/$domain.key \
-out csr/$domain.csr
准备配置文件conf/localhost.conf以签发证书请求
[ x509_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature
subjectAltName = @alternate_names
extendedKeyUsage = serverAuth,clientAuth
[ alternate_names ]
DNS.1 = localhost
DNS.2 = loopback
IP.1 = 127.0.0.1
IP.2 = 127.0.1.1
签发证书请求
#
# sign a certificate request
#
# the domain name (e.g. localhost)
domain=localhost
# 1. sign a certificate
openssl x509 -req \
-days 730 \
-in csr/$domain.csr \
-CA certs/ca.crt -CAkey private/ca-encrypted.key -CAserial certs/ca.srl -CAcreateserial \
-extfile conf/$domain.conf -extensions x509_extensions \
-out certs/$domain-cert.crt
#
# test certificate with SSLServer and SSLClient
#
# on one tty window
openssl s_server -accept 1443 -www -key private/$domain.key -cert certs/$domain-cert.crt
# on another tty window
openssl s_client -showcerts -connect $domain:1443 -CAfile certs/ca.crt
导出各种HTTP服务端所需格式
#
# export for HTTP Servers
#
# create certificate chain (for Apache / Tomcat / Node.js)
cp certs/ca.crt certs/$domain-chain.crt
# create self_plus_intermediates_plus_root (for Nginx)
cat certs/$domain-cert.crt <(echo) certs/$domain-chain.crt > certs/$domain.crt
# create java keystore in PKCS12 (for Java 9+, Java 8)
openssl pkcs12 -export -in certs/$domain-cert.crt -inkey private/$domain.key -name "$domain" -out certs/$domain-cert.pfx
$JAVA_HOME/bin/keytool -importkeystore -srcstoretype PKCS12 -srckeystore certs/$domain-cert.pfx \
-alias "$domain" -deststoretype PKCS12 -destkeystore certs/$domain-cert.p12
$JAVA_HOME/bin/keytool -importkeystore -srcstoretype PKCS12 -srckeystore certs/$domain-cert.pfx \
-alias "$domain" -deststoretype JKS -destkeystore certs/$domain-cert.jks
导出各种HTTP客户端所需格式
#
# export for HTTP Clients
#
# create PKCS12 truststore (for Windows)
openssl pkcs12 -export -in certs/ca.crt -nokeys -name "WebDev CA" -out certs/ca.pfx
# create PKCS12 truststore (for Java 9+, Java 8)
$JAVA_HOME/bin/keytool -importcert -file certs/ca.crt -alias "WebDev CA" -storetype PKCS12 -keystore certs/$domain-chain.p12 -noprompt
$JAVA_HOME/bin/keytool -importcert -file certs/ca.crt -alias "WebDev CA" -storetype JKS -keystore certs/$domain-chain.jts -noprompt
# append this CA to ca bundle (for Postman)
cat certs/ca.crt <(echo) >> certs/ca-certs.crt
2. 已签发证书的用法(用于服务端)
配置Nginx,在nginx.conf中使用
ssl_certificate /etc/nginx/ssl/certs/localhost.crt;
ssl_certificate_key /etc/nginx/ssl/private/localhost.key;
配置Tomcat 8.5+,在server.xml中使用
<SSLHostConfig>
<Certificate certificateKeyFile="/etc/nginx/ssl/private/localhost.key"
certificateFile="/etc/nginx/ssl/certs/localhost-cert.crt"
certificateChainFile="/etc/nginx/ssl/certs/localhost-chain.crt"
type="RSA" />
</SSLHostConfig>
<!-- or -->
<SSLHostConfig truststoreFile="/etc/nginx/ssl/certs/localhost-chain.jts"
truststorePassword="changeit"
truststoreType="JKS">
<Certificate
certificateKeystoreFile="/etc/nginx/ssl/certs/localhost-cert.jks"
certificateKeystorePassword="changeit"
certificateKeystoreType="JKS"
certificateKeyAlias="localhost"
type="RSA" />
</SSLHostConfig>
<!-- or -->
<SSLHostConfig truststoreFile="/etc/nginx/ssl/certs/localhost-chain.p12"
truststorePassword="changeit"
truststoreType="PKCS12">
<Certificate
certificateKeystoreFile="/etc/nginx/ssl/certs/localhost-cert.p12"
certificateKeystorePassword="changeit"
certificateKeystoreType="PKCS12"
certificateKeyAlias="localhost"
type="RSA" />
</SSLHostConfig>
编写Node.js脚本,在server.js中使用
let server=https.createServer({
key: fs.readFileSync("/etc/nginx/ssl/private/localhost.key"),
cert: fs.readFileSync("/etc/nginx/ssl/certs/localhost-cert.crt"),
ca: fs.readFileSync("/etc/nginx/ssl/certs/localhost-chain.crt"),
});
配置webpack-dev-server,在webpack.config.js中使用
module.exports = {
devServer: {
https: {
key: '/etc/nginx/ssl/private/localhost.key',
cert: '/etc/nginx/ssl/certs/localhost-cert.crt',
ca: '/etc/nginx/ssl/certs/localhost-chain.crt',
},
},
};
3. 自签名CA证书的用法(用于客户端)
导入到Windows
双击CA证书certs/ca.pfx,安装证书(存储位置为"本地计算机",证书存储为"受信任的根证书颁发机构")。
导入后适用于 IE、Edge及其WebView、Chrome、基于Chromium的浏览器等等
导入到Firefox
注:如果已经将自签名CA证书certs/ca.pfx导入到Windows,那么可通过访问about:config设置security.enterprise_roots.enabled为true来共享Windows受信任的根证书而无需再Firefox单独导入
在Firefox Settings / Certificates / View Certificates / 导入ca.pfx文件到"Your Certificates
导入到Postman
在Postman Settings / Certificates / CA Certificates指定合并的CA合辑文件/etc/nginx/ssl/certs/ca-bundle.crt
导入到Java HTTP客户端
在VM arguments,添加-Djavax.net.ssl.trustStore=/etc/nginx/ssl/certs/localhost-chain.jts -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=JKS,对于Java9+也可换成-Djavax.net.ssl.trustStore=/etc/nginx/ssl/certs/localhost-chain.p12 -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=PKCS12
4. 附录
服务端证书配置文件conf/example.com.conf
[ x509_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature
subjectAltName = @alternate_names
extendedKeyUsage = serverAuth, clientAuth
[ alternate_names ]
DNS.1 = example.com
DNS.2 = *.example.com
ECC的申请和签发
#
# create EC CA
#
# find curve with `openssl ecparam -list_curves`
# generate a private key for a curve
openssl ecparam -genkey -name prime256v1 -noout -out private/ca-ec.key
# generate a encrypted edition of the private key
openssl ec -aes256 -in private/ca-ec.key -out private/ca-ec-encrypted.key
# create ca certificate
openssl req -new -config conf/ca.conf \
-subj "/C=CN/ST=BJ/L=Beijing/O=Web Dev Org/OU=IT Dept/CN=WebDev ECC CA" \
-x509 -sha256 -days 3650 -key private/ca-ec-encrypted.key -out certs/ca-ec.crt
#
# create certificate aigning request
#
# the domain name (e.g. example.com)
domain=foo.apps.example.com
# generate a private key
openssl ecparam -genkey -name prime256v1 -out private/$domain.key
# create a certificate signing request
openssl req -new \
-subj "/C=CN/ST=BJ/L=Beijing/O=Web Dev Org/OU=IT Dept/CN=$domain" \
-key private/$domain.key \
-out csr/$domain.csr
# optionally, generate corresponding public key
openssl ec -in private/$domain.key -pubout -out public/$domain.pub
#
# sign for certificate request
#
# the domain name (e.g. example.com)
domain=example.com
openssl x509 -req \
-sha256 -days 730 \
-in csr/$domain.csr \
-CA certs/ca-ec.crt -CAkey private/ca-ec-encrypted.key -CAserial certs/ca-ec.srl -CAcreateserial \
-extfile conf/$domain.conf -extensions x509_extensions \
-out certs/$domain-cert.crt
#
# export for HTTP Servers
#
# create certificate chain (for Apache, Tomcat, Node.js)
cp certs/ca-ec.crt certs/$domain-chain.crt
# for Nginx
cat certs/$domain-cert.crt <(echo) certs/ca-ec.crt > certs/$domain.crt
#
# export for HTTP Clients
#
# create PKCS12 truststore (for Windows, Firefox)
openssl pkcs12 -export -in certs/ca-ec.crt -nokeys -out certs/ca-ec.pfx
# append this CA to ca bundle (for Postman)
cat certs/ca-ec.crt <(echo) >> certs/ca-certs.crt
标签:domain,crt,证书,ca,OpenSSL,private,SSL,certs,key 来源: https://blog.csdn.net/flashdelover/article/details/121014562
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。